Microsoft SharePoint Authentication 


Thank you for your interest in authenticated scanning! When you configure and use 
authentication, you get a more in-depth assessment of your hosts, the most accurate results and 
fewer false positives. This document provides tips and best practices for setting up Microsoft 
SharePoint authentication for MS SharePoint 2010, 2013, 2016 and 2019. 


A few things to consider 


Do I have to use authentication? 


Yes, authentication is required for compliance scans. Choose the type of authentication you 
want to perform: Windows or MS SQL Database. If you choose Windows, provide the name of the 
Windows domain where the account is stored. The domain name is required because the 
scanning engine must associate the operating system account with the MS SQL Server database 
account for authentication. 


Are my credentials safe? 


Yes, credentials are exclusively used for READ access to your system. The service does not 
modify or write anything on the device in any way. Credentials are securely handled by the 
service and are only used for the duration of the scan. 


Which technologies are supported? 
For the most current list of supported authentication technologies and the versions that have 
been certified for VM and PC by record type, please refer to the following article: 


Authentication Technologies Matrix 


What are the steps? 


First, set up a user account and privileges on target hosts (we'll help you with this below). Then, 
using Qualys Policy Compliance, complete these steps: 1) Add Windows and Microsoft 
SharePoint authentication records. 2) Launch a compliance scan. 3) Run the Authentication 
Report to view the authentication status (Passed or Failed) for each scanned host. 


Scan User Privileges and Configurations 


Follow detailed instructions in these sections of the document: 

Part 1: System Configuration Requirements 

Part 2: Scan User Privileges (Windows and MS SQL Database) 

Part 3: Verify Scan User Membership and Test Connection by PowerShell Script 
Part 1: System Configuration Requirements 


- Set PowerShell Execution Policies 
- Verify WinRM IIS Extensions 
- Enable Windows Authentication for PowerShell Virtual Directory 


1) Open a Windows PowerShell window by selecting Run as administrator, and run the command 
shown: 


Set-ExecutionPolicy RemoteSigned 


Also check that Remote PowerShell is enabled on the host. 


2) Enable the WinRM IIS Extensions under Add Roles and Features in Server Manager. 


Windows Remote Management (WinRM) IIS Extension enables a server to receive a management 
request from a client computer by using the WS-Management protocol. WinRM is the Microsoft 
implementation of the WS-Management protocol. This helps secure communication between 
local and remote computers by using Web-based services. 


Steps shown in the images below: 


[Screenshot: Add Roles and Features Wizard, Select features page. The feature "Windows Remote 
Management (WinRM) IIS Extension" is selected; the description pane repeats the WinRM 
description given above.] 
[Screenshot: Add Roles and Features Wizard, Installation progress page, reporting "Installation 
succeeded on SVR1.winadmins.local." for the WinRM IIS Extension feature.] 


3) Log in to your SharePoint 2010+ server and enable Windows Authentication on the PowerShell 
site. 


- Open the Internet Information Services (IIS) Manager console. 
- Connect to the SharePoint server. 
- Open Sites > SharePoint Central Administration > PowerShell, and open Authentication. 


[Screenshot: IIS Manager with the Sites node expanded (Default Web Site, pcdev Internet Site, 
SharePoint - 29929, SharePoint - 80, SharePoint Central Administration v4, SharePoint Web 
Services) and the Features View of SharePoint Central Administration v4, where the 
Authentication feature appears in the IIS group.] 


Enable Windows Authentication. Right-click Windows Authentication, select Providers, and make 
sure NTLM or Negotiate is listed as an enabled provider. 


[Screenshot: IIS Manager, Authentication feature of the PowerShell virtual directory 
(Configuration: 'localhost' applicationHost.config, <location path="Default Web Site/PowerShell">), 
listing Anonymous Authentication, ASP.NET Impersonation, Basic Authentication, Digest 
Authentication and Forms Authentication as Disabled, together with the Windows Authentication 
Providers dialog and its Enabled Providers / Available Providers lists.] 
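The Part 1 prerequisites can be checked from one script. This is an added example, not part of the Qualys guide; it assumes PowerShell 3.0 or later, an elevated session on the SharePoint server, the site name 'SharePoint Central Administration v4' and the Server Manager feature name 'WinRM-IIS-Ext'; adjust these for your farm.

```powershell
# Added example, not from the Qualys guide: checks the Part 1 prerequisites on a
# SharePoint server. Run elevated, PowerShell 3.0 or later. The site name
# 'SharePoint Central Administration v4' and the feature name 'WinRM-IIS-Ext'
# are assumptions; adjust them for your farm.
Import-Module ServerManager
Import-Module WebAdministration

$siteName = 'SharePoint Central Administration v4'   # assumed IIS site hosting /PowerShell
$vdir     = "IIS:\Sites\$siteName\PowerShell"
$authPath = '/system.webServer/security/authentication/windowsAuthentication'
$results  = @()

# 1) Execution policy: RemoteSigned (or looser) as set in step 1
$policy = Get-ExecutionPolicy -Scope LocalMachine
$results += [pscustomobject]@{ Check = 'Execution policy'; Value = $policy
    Pass = @('RemoteSigned', 'Unrestricted', 'Bypass') -contains "$policy" }

# 1, cont.) Remote PowerShell: the local WinRM listener must answer an identify request
$wsman = $null
try { $wsman = Test-WSMan -ErrorAction Stop } catch { }
$results += [pscustomobject]@{ Check = 'WinRM listener'; Value = $(if ($wsman) { $wsman.ProductVersion } else { 'not responding' })
    Pass = [bool]$wsman }

# 2) WinRM IIS Extension feature installed through Server Manager
$feature = Get-WindowsFeature -Name WinRM-IIS-Ext
$results += [pscustomobject]@{ Check = 'WinRM IIS Extension'; Value = $feature.InstallState
    Pass = [bool]$feature.Installed }

# 3) Windows Authentication enabled on the PowerShell virtual directory, with NTLM or Negotiate
$enabled   = (Get-WebConfigurationProperty -PSPath $vdir -Filter $authPath -Name enabled).Value
$providers = (Get-WebConfigurationProperty -PSPath $vdir -Filter "$authPath/providers" -Name Collection) |
    ForEach-Object { $_.value }
$results += [pscustomobject]@{ Check = 'Windows Authentication'; Value = $enabled
    Pass = [bool]$enabled }
$results += [pscustomobject]@{ Check = 'Providers'; Value = ($providers -join ', ')
    Pass = [bool]($providers | Where-Object { $_ -eq 'NTLM' -or $_ -eq 'Negotiate' }) }

$results | Format-Table Check, Value, Pass -AutoSize
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'One or more Part 1 prerequisites are not met.' }
```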
Part 2: Scan User Privileges (Windows and MS SQL Database) 


Pre-requisites 


SharePoint Farm Scan User account 

The server farm account requires the following permissions: 

- It must have domain user account permissions. 

- Additional permissions are automatically granted to the SharePoint Farm Service account on 
SharePoint servers that are joined to a server farm. 

1) After you run Setup, machine-level permissions include: 


- Membership in the WSS_ADMIN_WPG Windows security group for the SharePoint Timer 
Service. 


- Membership in WSS_RESTRICTED_WPG for the Central Administration and Timer service 
application pools. 


- Membership in WSS_WPG for the Central Administration application pool. 


2) After you run the configuration wizards, SQL Server and database permissions include: 


- Membership in the WSS_CONTENT_APPLICATION_POOLS role for the SharePoint server farm 
configuration database. 


- Membership in the WSS_CONTENT_APPLICATION_POOLS role for the SharePoint_Admin 
content database. 


If these permissions are not satisfied, contact your Setup administrator or SQL Server 
administrator to request these permissions. 


Adding scan user as a SharePoint Shell Admin 


Add-SPShellAdmin 
- Adds a user to the SharePoint_Shell_Access role for the specified database. 


- If you specify only the user, the user is added to the role for the farm configuration database. 


C:\PS>Add-SPShellAdmin -UserName DOMAIN\qualys_scan 


This example adds a new user named “qualys_scan” to the SharePoint_Shell_Access role in the 
farm configuration database only, and also ensures the user is added to the WSS_Admin_WPG 
local group on each server in the farm. 


Using the database parameter the user is added to the role on the farm configuration database, 
the Central Administration content database and the specified database. 


C:\PS>Add-SPShellAdmin -UserName DOMAIN\qualys_scan -database <DB GUID> 


This example adds a new user named “qualys_scan” to the SharePoint_Shell_Access role in both 
the specified content database and the configuration database by passing a database GUID to the 
cmdlet. 


Using the database parameter is the preferred method because most administrative operations 
require access to the Central Administration content database. 
Minimum privilege needed to scan the SQL Server portion of SharePoint controls with a 
restricted/read-only account 


Please run the scripts provided below, in the order shown. 


If creating a Windows authentication on the SQL Server, start with Step 1a. 


If creating a SQL Server authentication on the SQL Server, start with Step 1b. 


1a) Create a Windows Authentication Login for the Scan Account 


This script creates a Windows (domain) login for the account used for scanning. Replace the 
domain name (or local computer name) and the name of the target database before running the 
script. Tip - an administrator needs to create the account on the host first. We recommend 
creating an account called QUALYS_SCAN. 


USE [master] 
GO 
CREATE LOGIN [domain\QUALYS_SCAN] FROM WINDOWS WITH DEFAULT_DATABASE=master 
GO 


1b) Create a SQL Server Authentication Login for the Scan Account 


This script creates a database login for the user account to be used for scanning. Please provide a 
password and the name of the target database before running the script. Tip - We recommend 
creating an account called QUALYS_SCAN. 


USE [master] 
GO 
CREATE LOGIN QUALYS_SCAN WITH PASSWORD=N'[password]', DEFAULT_DATABASE=master, 
CHECK_EXPIRATION=ON, CHECK_POLICY=ON 
GO 


2) Create a User Account 


USE [master] 
GO 
CREATE USER [qualys_scan] FOR LOGIN [username created in Step 1] 
GO 


grant SELECT on sys.all_objects to qualys_scan; 
grant SELECT on sys.configurations to qualys_scan; 
grant SELECT on sys.databases to qualys_scan; 
grant SELECT on sys.database_permissions to qualys_scan; 
grant SELECT on sys.syslogins to qualys_scan; 
grant SELECT on sys.trace_events to qualys_scan; 
grant SELECT on sys.traces to qualys_scan; 
grant SELECT on sys.sysaltfiles to qualys_scan; 
grant SELECT on sys.server_principals to qualys_scan; 
grant VIEW ANY DEFINITION TO qualys_scan; 
GO 
3) Verify Privileges on the Scan Account 


Verify that the QUALYS_SCAN account has all the privileges in the database needed to run a 
successful compliance scan. Log in to the database using the QUALYS_SCAN account, then run 
the following queries to see whether the account has access. 


Query                                                              Expected Results 

select top 1 1 permission from sys.all_objects                     1 
select top 1 1 permission from sys.configurations                  1 
select top 1 1 permission from sys.databases                       1 
select top 1 1 permission from sys.database_permissions            1 
select top 1 1 permission from sys.syslogins                       1 
select top 1 1 permission from sys.trace_events                    1 
select top 1 convert(char(20),serverproperty('productversion'))    12.0.1601.5 (the server's 
permission                                                         product version string) 

Did you get different results? Contact your SQL Server DBA to ensure that privileges are 
set up correctly. 
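The verification queries above can be run from PowerShell as the scan account so that a missing grant is reported per view. This is an added example, not from the Qualys guide; $server is an assumption, and it requires PowerShell 3.0 or later. With $useSqlAuth left at $false it connects with the current Windows identity (step 1a), so run it as the QUALYS_SCAN domain account; set it to $true for the SQL Server login from step 1b.

```powershell
# Added example, not from the Qualys guide: runs the step 3 verification queries as the
# scan account from PowerShell and reports each result. $server is an assumption; set
# $useSqlAuth to $true for a SQL Server login (step 1b), otherwise the current Windows
# identity is used (step 1a), so run the script as the QUALYS_SCAN domain account.
$server     = 'SQLSERVER01'       # assumed SQL Server instance hosting the SharePoint databases
$useSqlAuth = $false

$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$builder['Data Source']     = $server
$builder['Initial Catalog'] = 'master'   # the grants in step 2 were made in master
if ($useSqlAuth) {
    $cred = Get-Credential -UserName 'QUALYS_SCAN' -Message 'SQL Server login password'
    $builder['User ID']  = $cred.UserName
    $builder['Password'] = $cred.GetNetworkCredential().Password
} else {
    $builder['Integrated Security'] = $true
}

# The verification queries from the table above, plus the server-level VIEW ANY DEFINITION grant
$queries = [ordered]@{}
foreach ($view in 'all_objects', 'configurations', 'databases', 'database_permissions',
                  'syslogins', 'trace_events') {
    $queries["sys.$view"] = "select top 1 1 permission from sys.$view"
}
$queries['VIEW ANY DEFINITION'] = "select has_perms_by_name(null, null, 'VIEW ANY DEFINITION')"
$queries['productversion']      = "select top 1 convert(char(20), serverproperty('productversion')) permission"

$conn = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'select suser_sname()'
    "Connected to $server as $($cmd.ExecuteScalar())"
    foreach ($name in $queries.Keys) {
        $cmd.CommandText = $queries[$name]
        try {
            # A query that runs proves the permission; the table expects 1 (or the version string)
            $value  = $cmd.ExecuteScalar()
            $status = "OK ($("$value".Trim()))"
        } catch {
            # Error 229 ('The SELECT permission was denied') means a GRANT from step 2 is missing
            $status = "FAILED: $($_.Exception.GetBaseException().Message)"
        }
        '{0,-22} {1}' -f $name, $status
    }
} finally {
    $conn.Close()
}
```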




Part 3: Verify Scan User Membership and Test Connection by PowerShell Script 


Connecting to MS SharePoint Server via PowerShell 


Here are the steps required to connect to PowerShell Virtual Directory using a PowerShell script. 


1) Open PowerShell or PowerShell ISE and enter the following commands: 


Add-PSSnapin Microsoft.sharepoint.powershell 


Get-SPWebApplication -IncludeCentralAdministration 


2) Run the above commands with the correct details for your host setup; you should see a 
connection result like the one in the following image, which shows an example scenario. 


[Screenshot: PowerShell ISE running the two commands above, with this console output:] 

PS C:\Windows\system32> Add-PSSnapin Microsoft.sharepoint.powershell 
PS C:\Windows\system32> Get-SPWebApplication -IncludeCentralAdministration 

DisplayName                      Url 
-----------                      --- 
pcdev Internet Site              http://www.pcdev.com/ 
SharePoint - 29929               http://... 115.77.82:29929/ 
SharePoint - 80                  http://win-rgjj18n17hv/ 
SharePoint Central Administ...   http://win-rgjj18n17hv:44038 

PS C:\Windows\system32> 


This confirms that you can connect to the PowerShell virtual directory using PowerShell as the 
specified scan user. 
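The Add-SPShellAdmin step from Part 2 (using the preferred -Database form with the Central Administration content database) and the membership and connection checks of Part 3 can be combined in one script. This is an added example, not from the Qualys guide; it assumes an elevated SharePoint Management Shell on a farm server run by a farm administrator, and the scan account name in $scanUser is a placeholder.

```powershell
# Added example, not from the Qualys guide: grants the scan user SharePoint_Shell_Access
# with the -Database form preferred in Part 2 (Central Administration content database)
# and then verifies the role memberships and the connection from Part 3. Run it in an
# elevated SharePoint Management Shell as a farm administrator. $scanUser is assumed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$scanUser = 'DOMAIN\qualys_scan'     # assumed scan account

# Resolve the Central Administration content database; its Id is the "<DB GUID>" from Part 2
$caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$caDb = $caWebApp.ContentDatabases | Select-Object -First 1
"Central Administration content database: $($caDb.Name) ($($caDb.Id))"

# Add the role only if the user is not already a shell admin for that database
if (-not (Get-SPShellAdmin -Database $caDb.Id | Where-Object { $_.UserName -eq $scanUser })) {
    Add-SPShellAdmin -UserName $scanUser -Database $caDb.Id -Confirm:$false
}

# Verify SharePoint_Shell_Access on the farm configuration database (no -Database) and on the CA content database
$scopes = @(
    @{ Name = 'configuration database';         Admins = @(Get-SPShellAdmin) },
    @{ Name = "content database $($caDb.Name)"; Admins = @(Get-SPShellAdmin -Database $caDb.Id) }
)
foreach ($s in $scopes) {
    $ok = [bool]($s.Admins | Where-Object { $_.UserName -eq $scanUser })
    '{0,-60} {1}' -f "SharePoint_Shell_Access on $($s.Name)", $(if ($ok) { 'OK' } else { 'MISSING' })
}

# Verify the local WSS_ADMIN_WPG membership that Add-SPShellAdmin grants on each farm server
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/WSS_ADMIN_WPG,group"
$members = @($group.Invoke('Members')) |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
$inGroup = $members -contains $scanUser.Split('\')[-1]
'{0,-60} {1}' -f 'WSS_ADMIN_WPG local group on this server', $(if ($inGroup) { 'OK' } else { 'MISSING' })

# Connection test from Part 3; repeat this last command in a PowerShell session started
# as $scanUser to prove that the scan account itself can enumerate the farm
Get-SPWebApplication -IncludeCentralAdministration | Select-Object DisplayName, Url
```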


Additional References 


https://docs.microsoft.com/en-us/sharepoint/install/account-permissions-and-security-settings-in-sharepoint-2013 


https://docs.microsoft.com/en-us/sharepoint/install/account-permissions-and-security-settings-in-sharepoint-server-2016 


https://docs.microsoft.com/en-us/powershell/sharepoint/sharepoint-server/sharepoint-server-cmdlets?view=sharepoint-ps 


Last updated: May 27, 2022 